racy of cellular services. A service provider assigns a 
unique "secret", along with other information such as a 
telephone number, to each cellular telephone when the 
telephone service is established with the service pro- 
vider. Each base station of a service provider continu- 
ously broadcasts a periodically changing random num- 
ber to all of the cellular telephones within the base 
station's jurisdiction. When a cellular telephone first 
enters the jurisdiction of a base station, it registers itself 
with the base station by concatenating a secret pass- 
word and the most recently broadcast random number, 
along with other information, and passing the concate- 
nated information to a hash function. The cellular tele- 
phone then sends the output of the hash function, along 
with other identifying information to the service pro- 
vider. The service provider, upon learning of the cellu- 
lar telephone's identity, feeds the secret assigned to that 
cellular telephone and the random number, along with 
other information, into the same hash function. When 
the result of the hashing performed by the service pro- 
vider matches that provided by the cellular telephone, 
authentication for that cellular telephone is complete. 
Thereupon, the provider sends the cell a shared secret 
data field which is known to the mobile unit, and subse- 
quent authentication processes are carried out between 
the mobile unit and the cell itself. 

39 Claims, 7 Drawing Sheets 
SERVICE PROVISION AUTHENTICATION 
PROTOCOL 

BACKGROUND OF THE INVENTION 

This invention relates to authentication protocols and 
more particularly to protocols for insuring validity of 
communicating radio-telephones and the like. 

In conventional telephony each telephone set (fax 
unit, modem, etc) is physically connected to a unique 
port on a switch at a local central office. The connec- 
tion is through a dedicated wire, or through a desig- 
nated channel on a dedicated wire. The wire connection 
is installed by the service provider (who, typically, is 
the common carrier) and, therefore, the service pro- 
vider can be reasonably sure that transmission on the 
channel arrives from the subscriber. By comparison, 
authentication of a subscriber in wireless telephony is 
less certain. 

Under the current cellular telephony arrangement in 
the United States, when a cellular telephone subscriber 
places a call, his or her cellular telephone indicates to 
the service provider the identity of the caller for billing 
purposes. This information is not encrypted. If an inter- 
loper eavesdrops at the right time, he or she can obtain 
the subscriber's identification information. This in- 
cludes the subscriber's phone number and the electronic 
serial number (ESN) of the subscriber's equipment. 
Thereafter, the interloper can program his or her cellu- 
lar telephone to impersonate that bona fide subscriber to 
fraudulently obtain services. Alternately, an interloper 
can inject himself into an established connection, over- 
power the customer's cellular telephone equipment by 
transmitting more power, and redirect the call to his or 
her purposes by sending certain control codes to the 
service provider. Basically, such piracy will succeed 
because the service provider has no mechanism for 
independently authenticating the identity of the caller at 
the time the connection is established and/or while the 
connection is active. 

Technology is available to permit an eavesdropper to 
automatically scan all of the cellular frequencies in a 
given cell for such identification information. Conse- 
quently, piracy of cellular telephone services is ram- 
pant. Also, the lack of enciphering of the speech signals 
lays bare to eavesdroppers the content of conversations. 
In short, there is a clear and present need for effective 
security measures in the cellular telephony art, and that 
suggests the use of cryptology for the purposes of en- 
suring authentication and privacy. 

Several standard cryptographic methods exist for
solving the general sort of authentication problem that
exists in cellular telephony, but each turns out to have
practical problems. First, a classical challenge/response
protocol may be used, based on a private key
cryptographic algorithm. In this approach, a subscriber's
mobile station is issued with a secret key which is also
known by the home system. When a serving system wishes to
authenticate a subscriber, it applies to the home system
for a challenge and a response to use with the given
subscriber. The home system composes a random challenge
and applies a one-way function to the challenge
concatenated with the subscriber's key to obtain the
corresponding response. The challenge and response
are supplied to the serving system, which issues the
challenge to the mobile station. The mobile station in
turn replies with the response, which it calculates from
the challenge and from its stored secret key. The serving
system compares the responses supplied by the
home system and by the mobile station, and if they
match, the mobile station is deemed authentic.

The problem with this approach is that often the
serving system is unable to contact the home system
quickly enough to allow authentication of a call setup,
or that the database software on the home system is
unable to look up the subscriber's secret key and compose
the challenge/response pair quickly enough. Network
or software delays of a second or two would add
that much dead time till the subscriber hears a dial tone
after picking up the handset when placing a call, and
longer delays (given the control networks and switching
apparatus currently used by cellular providers)
would be common. In the present milieu, such delays
are unacceptable.

Public key cryptography provides another standard
class of ways for solving authentication problems.
Generally speaking, each mobile station would be provided
with a "public key certificate" of identity, signed by the
public key of the service provider, stating that the
mobile station is a legitimate customer of the service
provider. In addition, each mobile would also be given
secret data (private keys) which it can use, together
with the certificate, to prove to third parties (such as the
serving system) that it is a legitimate customer.

For example, the service provider could have a pair of
RSA keys, (F,G), with F private and G public. The
service provider could supply each mobile with its own
pair (D,E) of RSA keys, together with F(E) (the
encryption of the mobile's public key E using the
provider's private key F). Then a mobile asserts its identity by
sending (E,F(E)) to the serving system. The serving
system applies G to F(E) to obtain E. The serving
system generates a challenge X, encrypts it with the
mobile's public key E to obtain E(X) which it sends to the
mobile. The mobile applies its private key D to E(X) to
obtain X, which it sends back to the server in the clear
as a response.

Although some variations on this theme involve less
computation or data transmission than others, no public
key authentication scheme yet exists which is efficiently
executable in less than a second's time on the sort of
hardware currently used in cellular telephones. Even
though network connectivity between the serving and
home systems is not needed at the moment of
authentication, as it is in the classical approach, the same time
constraints which rule out the classical approach also
rule out the public key approach.

Another technique is proposed by R. M. Needham
and M. D. Schroeder in Using Encryption for
Authentication in Large Computer Networks, Comm. of the ACM,
Vol. 21, No. 12, 993-999 (Dec. 1978). In brief, the
Needham-Schroeder technique requires that a third, trusted,
party (AS) should serve as an authentication server
which distributes session keys to the prospective parties
(A and B) who are attempting to establish secure
communications. The protocol is as follows: when party A
wishes to communicate with party B, it sends to
authentication server AS his own name, the name of party B
and a transaction identifier. Server AS returns the name
of party B, a session key, the transaction identifier and a
message encrypted with B's key. All that information is
encrypted with A's key. Party A receives the information,
decrypts it, selects the portion that is encrypted
with B's key and forwards that portion to party B. Party
B decrypts the received messages and finds in it the name
of party A and the session key. A last check (to prevent
"replays") is made by party B issuing a challenge to
party A and party A replies, using the session key. A
match found at party B authenticates the identity of
party A.

SUMMARY OF THE INVENTION

The security needs of cellular telephony are met with
an arrangement that depends on a shared secret data
field. The mobile unit maintains a secret that is assigned
to it by the service provider, and generates a shared
secret data field from that secret. The service provider
also generates the shared secret data field. When a
mobile unit enters the cell of a base station, it identifies
itself to the base station, and supplies to the base station
a hashed authentication string. The base station consults
with the provider, and if it is determined that the mobile
unit is a bona fide unit, the provider supplies the base
station with the shared secret data field. Thereafter the
mobile unit communicates with the base station with the
assistance of authentication processes that are carried
out between the mobile unit and the base station, using
the shared secret data field.

One feature of this arrangement is that the various
base stations do not have access to the secret that was
installed in the mobile unit by the provider. Only the
base stations which successfully interacted with the
mobile unit have the shared secret data field; and that
number can be limited by the provider simply by
directing the mobile unit to create a new shared secret data
field.

Another feature of this arrangement is that the more
elaborate authentication process that utilizes the secret,
which is more time consuming and which takes place
only through involvement of the provider, occurs
infrequently; when a mobile unit first enters the cell (or
when it is suspected that the shared secret data field has
been compromised).

Call originations, call terminations, and other
functions are authenticated using essentially the same
authentication protocol and the same hashing function.
The few differences manifest themselves in the
information that is hashed.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 illustrates an arrangement of network
providers and cellular radio providers interconnected for
service to both stationary and mobile telephones and the
like;

FIG. 2 depicts the process for directing the creation
of a shared secret data field and the verification of same;

FIG. 3 depicts the registration process in a visited
base station, for example, when the mobile unit first
enters the cell serviced by the base station;

FIG. 4 shows the elements that are concatenated and
hashed to create the shared secret data;

FIG. 5 shows the elements that are concatenated and
hashed to create the verification sequence;

FIG. 6 shows the elements that are concatenated and
hashed to create the registration sequence when the
mobile unit goes on the air;

FIG. 7 shows the elements that are concatenated and
hashed to create the call initiation sequence;

FIG. 8 depicts the speech encryption and decryption
process in a mobile unit;

FIG. 9 shows the elements that are concatenated and
hashed to create the re-authentication sequence;

FIG. 10 illustrates the three stage process for
encrypting and decrypting selected control and data
messages; and

FIG. 11 presents a block diagram of a mobile unit's
hardware.

DETAILED DESCRIPTION

In a mobile cellular telephone arrangement there are
many mobile telephones, a much smaller number of
cellular radio providers (with each provider having one
or more base stations) and one or more switching
network providers (common carriers). The cellular radio
providers and the common carriers combine to allow a
cellular telephone subscriber to communicate with both
cellular and non-cellular telephone subscribers. This
arrangement is depicted diagrammatically in FIG. 1,
where common carrier I and common carrier II
combine to form a switching network comprising switches
10-14. Stationary units 20 and 21 are connected to
switch 10, mobile units 22 and 23 are free to roam and
base stations are connected to switches 10-14.
Base stations 30-34 belong to provider 1, base stations
35 and 36 belong to provider 2, base station 37 belongs
to provider 4, and base stations 38-40 belong to
provider 3. For purposes of this disclosure, a base station is
[...] base stations 30, 31, and 32 in FIG. 1.

Each mobile unit has an electronic serial number
(ESN) that is unique to that unit. The ESN number is
installed in the unit by the manufacturer, at the time the
unit is built (for example, in a read-only memory), and it
is unalterable. It is accessible, however.

When a customer desires to establish a service
account for a mobile unit that the customer owns or
leases, the service provider assigns to the customer a
phone number (MIN1 designation), an area code
designation (MIN2 designation) and a "secret" (A-key). The
MIN1 and MIN2 designations are associated with a
given CGSA of the provider and all base stations in the
FIG. 1 arrangement can identify the CGSA to which a
particular MIN2 and MIN1 pair belongs. The A-key is
known only to the customer's equipment and to the
provider's CGSA processor (not explicitly shown in
FIG. 1). The CGSA processor maintains the unit's
ESN, A-key, MIN1 and MIN2 designations and
whatever other information the service provider may wish to
have.

With the MIN1 and the MIN2 designations and the
A-key installed, the customer's unit is initialized for
service when the CGSA processor sends to the mobile
unit a special random sequence (RANDSSD), and a
directive to create a "shared secret data" (SSD) field.
The CGSA sends the RANDSSD, and the SSD field
generation directive, through the base station of the cell
where the mobile unit is present. Creation of the SSD
field follows the protocol described in FIG. 2.

As an aside, in the FIG. 1 arrangement each base
station broadcasts information to all units within its cell
on some preassigned frequency channel (broadcast
band). In addition, it maintains two way
communications with each mobile unit over a mutually agreed,
(temporarily) dedicated, channel. The manner by which
the base station and the mobile unit agree on the
communications channel is unimportant to this invention,
and hence it is not described in detail herein. One
approach may be, for example, for the mobile unit to scan
all channels and select an empty one. It would then send
to the base station its MIN2 and MIN1 designations
(either in plaintext form or enciphered with a public
key), permitting the base station to initiate an
authentication process. Once authenticated communication is
established, if necessary, the base station can direct the
mobile station to switch to another channel.

As described in greater detail hereinafter, in the 
course of establishing and maintaining a call on a mobile 
telephony system of this invention, an authentication 
process may be carried out a number of times through- 
out the conversation. Therefore, the authentication 
process employed should be relatively secure and sim- 
ple to implement. To simplify the design and lower the 
implementation cost, both the mobile unit and the base 
station should use the same process. 

Many authentication processes use a hashing
function, or a one-way function, to implement the processes.
A hashing function performs a many-to-one mapping
which converts a "secret" to a signature. The following
describes one hashing function that is simple, fast,
effective, and flexible. It is quite suitable for the
authentication processes of this invention but, of course, other
hashing functions can be used.

The Jumble Process 

The Jumble process can create a "signature" of a
block of d "secret" data words, b(i), with the aid of a
k-word key x(j), where d, i, j, and k are integers. The
"signature" creation process is carried out on one data
word at a time. For purposes of this description, the
words on which the Jumble process operates are 8 bits
long (providing a range from 0 to 255, inclusive), but
any other word size can be employed. The "secret" data
block length is incorporated in the saw tooth function

$s_d(t) = t$ for $0 \le t \le d-1$

$s_d(t) = 2d-2-t$ for $d \le t \le 2d-3$, and

for all t.

This function is used in the following process where,
starting with z=0 and i=0, for successively increasing
integer values of i in the range $0 \le i \le 6d-5$,
a) $b(s_d(i))$ is updated by:

$b(s_d(i)) = b(s_d(i)) + x(i_k) + \mathrm{SBOX}(z) \bmod 256$

where
$i_k$ is $i$ modulo $k$, $\mathrm{SBOX}(z) = y + [y/2048] \bmod 256$,
$y = (z \oplus 16)(z + 111)(z)$,
$[y/2048]$ is the integer portion of y divided by 2048,
and $\oplus$ represents the bit-wise Exclusive-OR
function; and

b) z is updated with: $z = z + b(s_d(i)) \bmod 256$.

It may be appreciated that in the process just
described there is no real distinction between the data and
the key. Therefore, any string that is used for
authentication can have a portion thereof used as a key for the
above process. Conversely, the data words
concatenated with the key can be considered to be the
"authentication string". It may also be noted that each word
b(i), where $0 \le i < d$ is hashed individually, one at a time,
which makes the hashing "in place". No additional
buffers are needed for the hashing process per se.

The process just described can be easily carried out
with a very basic conventional processor, since the only
operations required are: shifting (to perform the
division by 2048), truncation (to perform the [ ] function and
the mod 256 function), addition, multiplication, and
bit-wise Exclusive-OR functions.

Returning to the SSD field initialization process of
FIG. 2, when a RANDSSD sequence and the directive
to create a new SSD field (arrow 100 in FIG. 2) are
received by the mobile station, a new SSD field is
generated in accordance with FIG. 4. The mobile unit
concatenates the ESN designation, the A-key, and the
RANDSSD sequence to form an authentication string.
The authentication string is applied to Jumble block 101
(described above) which outputs the SSD field. The
SSD field comprises two subfields; the SSD-A subfield
which is used to support authentication procedures, and
the SSD-B subfield which is used to support voice
privacy procedures and encryption of some signaling
messages (described below). It may be noted that a larger
number of SSD subfields can be created; either by
subdividing the SSD field formed as described above or by
first enlarging the SSD field. To increase the number of
bits in the SSD field one needs only to start with a
larger number of data bits. As will be appreciated from
the disclosure below, that is not a challenging
requirement.

The home CGSA processor knows the ESN and the
A-key of the mobile unit to which the received MIN2
and MIN1 designations were assigned. It also knows the
RANDSSD sequence that it sent. Therefore, the home
CGSA processor is in position to duplicate the SSD
field creation process of the mobile unit. By
concatenating the RANDSSD signal with the ESN designation
and the A-key, and with the above-described Jumble
process, the CGSA processor creates a new SSD field
and partitions it into SSD-A and SSD-B subfields.
However, the SSD field created in the home CGSA
processor must be verified.

In accordance with FIG. 2, verification of the created
SSD field is initiated by the mobile unit. The mobile unit
generates a challenge random sequence (RANDBS
sequence) in block 102 and sends it to the home CGSA
processor through the serving base station (the base
station that serves the area in which the mobile unit is
located). In accordance with FIG. 5, the home CGSA
processor concatenates the challenge RANDBS
sequence, the ESN of the mobile unit, the MIN1
designation of the mobile unit, and the newly created SSD-A to
form an authentication string which is applied to the
Jumble process. In this instance, the Jumble process
creates a hashed authentication signal AUTHBS which
is sent to the mobile station. The mobile station also
combines the RANDBS sequence, its ESN designation,
its MIN1 designation and the newly created SSD-A to
form an authentication string that is applied to the
Jumble process. The mobile station compares the result of
its Jumble process to the hashed authentication signal
(AUTHBS) received from the home CGSA processor.
If the comparison step (block 104) indicates a match, the
mobile station sends a confirmation message to the
home CGSA processor indicating the success of the
update in the SSD field. Otherwise, the mobile station
reports on the failure of the match comparison. As an
aside, it is possible that the serving system, acting as an
agent for the home CGSA, could respond to the
challenge from the mobile unit, if the home CGSA were to
send a copy of the newly generated SSD-A to the
serving system along with the RANDSSD sequence it used
to create it.
Having initialized the mobile station, the SSD field
remains in force until the home CGSA processor directs
the creation of a new SSD field. That can occur, for
example, if there is reason to believe that the SSD field
has been compromised. At such a time, the home
CGSA processor sends another RANDSSD sequence
to the mobile unit, and a directive to create a new SSD
field.

As mentioned above, in cellular telephony each base
station broadcasts various informational signals for the
benefit of all of the mobile units in its cell. In
accordance with the FIG. 1 arrangement, one of the signals
broadcast by the base station is a random or
pseudorandom sequence (RAND sequence). The RAND
sequence is used by various authentication processes to
randomize the signals that are created and sent by the
mobile units. Of course, the RAND sequence must be
changed periodically to prevent record/playback
attacks. One approach for selecting the latency period of
a RAND signal is to make it smaller than the expected
duration of an average call. Consequently, a mobile
unit, in general, is caused to use different RAND signals
on successive calls.

In accordance with one aspect of this invention, as
soon as the mobile unit detects that it enters a cell it
registers itself with the base unit so that it can be
authenticated. Only when a mobile unit is authenticated can it
initiate calls, or have the base station direct calls to it.

When the mobile unit begins the registration process
it accepts the RAND sequence broadcast by the base
station and, in turn, it sends to the serving base station
its MIN1 and MIN2 designations and its ESN sequence
(in plaintext) as well as a hashed authentication string.
According to FIG. 6, the hashed authentication string is
derived by concatenating the RAND sequence, the
ESN sequence, the MIN1 designation and the SSD-A
subfield to form an authentication string; and applying
the authentication string to the Jumble process. The
hashed authentication string at the output of the Jumble
process is sent to the serving base station together with
the ESN sequence.

In some embodiments, all or part of the RAND
sequence used by the mobile unit is also sent to the serving
base station (together with the ESN sequence and the
MIN1 and MIN2 designations), because the possibility
exists that the RAND value has changed by the time the
hashed authentication string reaches the base station.

On the base station side, the serving base station
knows the RAND sequence (because the base station
created it) and it also knows the ESN and the MIN2 and
MIN1 designations with which the mobile unit
identified itself. But, the serving base station does not know
the SSD field of the mobile unit. What it does know is
the identity of the mobile unit's home CGSA processor
(from the MIN1 and MIN2 designations).
Consequently, it proceeds with the authentication process by
sending to the mobile unit's home CGSA processor the
MIN1 designation, the ESN sequence, the hashed
authentication string that the mobile unit created and
transmitted, and the RAND sequence that the serving
base station broadcast (and which the mobile unit
incorporated in the created hashed authentication string).
From the mobile unit's MIN1 designation and ESN
sequence the home CGSA processor knows the mobile
unit's identity and, hence, the mobile unit's SSD-A
subfield. Therefore it can proceed to create an
authentication string just as the mobile unit did, and apply it to
the Jumble process (FIG. 6). If the hashed
authentication string created by the mobile unit's home CGSA
processor matches the hashed authentication string
created in the mobile unit and supplied by the serving
base station, then verification is deemed successful. In
such a case, the home CGSA processor supplies the
serving base station with the unit's SSD field. As an
aside, to keep the ESN designation and the SSD field
secure, the communication between the base stations
and the CGSA processor is carried in encrypted form.

In the above-described protocol, the mobile unit's
CGSA processor attempts to verify the validity of the
hashed authentication string. When the verification is
unsuccessful, the CGSA processor informs the serving
base station that the mobile unit was not authenticated
and may suggest that either the contact with the mobile
unit be dropped or that the mobile unit be directed to
retry the registration process. To retry the registration
process the home CGSA processor can either continue
participation in the authentication process or it can
delegate it to the serving base station. In the latter
alternative, the serving base station informs the home CGSA
processor of the ESN sequence and the MIN1
designation of the mobile unit, and the CGSA processor
responds with the SSD field of the mobile unit and the
RANDSSD with which the SSD field was created.
Authentication, in the sense of creating a hashed
authentication string and comparing it to the hashed
authentication string sent by the mobile unit, is then
carried out by the serving base station. A retry directive
can then be carried out without the home CGSA
process by the serving station sending the RANDSSD to
the mobile unit. This "registration" protocol is depicted
in FIG. 3.

Once the mobile unit has been "registered" at the
serving base station (via the above-described process)
the serving base station possesses the ESN and the SSD
field of the mobile unit, and subsequent authentication
processes in that cell can proceed in the serving base
station without reference to the home CGSA
processor, except one. Whenever, for any reason, it is
desirable to alter the SSD field, communication is effectively
between the home CGSA processor and the mobile
unit; and the serving base station acts only as a conduit
for this communication. That is because creation of a
new SSD field requires an access to the secret A-key,
and access to the A-key is not granted to anyone by the
CGSA processor. Accordingly, when a new SSD field
is to be created and the mobile unit is not in the area of
the home CGSA, the following occurs:

the home CGSA processor creates a RANDSSD
  sequence and alters the SSD field based on that
  RANDSSD sequence,
the home CGSA processor supplies the serving base
  station with the RANDSSD sequence and the
  newly created SSD field,
the serving base station directs the mobile unit to alter
  its SSD field and provides the mobile unit with the
  RANDSSD sequence,
the mobile unit alters the SSD field and sends a
  challenge to the serving base station,
the serving base station creates the AUTHBS string
  (described above) and sends it to the mobile unit,
  and
the mobile unit verifies the AUTHBS string and
  informs the serving base station that both the mobile
  unit and the serving base station have the same
  SSD fields.
Having been registered by the serving base station,
the mobile unit can initiate calls with an authentication
process as depicted in FIG. 7. The call initiation
sequence concatenates signals RAND, ESN, SSD-A and
at least some of the called party's identification (phone)
number (MIN3 in FIG. 7). The concatenated signals are
applied to the Jumble process to develop a hashed
authentication sequence that can be verified by the serving
base station. Of course, to permit verification at the
serving base station, the called party's identification
number must also be transmitted in a manner that can be
received by the base station (and, as before, perhaps a
portion of the RAND signal), i.e., in plaintext. Once the
authentication sequence is verified, the base station can
process the call and make the connection to the called
party.
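
The Jumble process and the SSD creation, registration and call initiation checks described above, as an added Python example that is not part of the original document. Assumed here, since the text leaves them open: the saw tooth function repeats with period 2d-2, y is kept at full width until the final mod 256, the secret portion of each authentication string (A-key or SSD-A) is used as the Jumble key with the other fields as the data block, the SSD field is split in half, and all field widths and sample values are constructed.

```python
import hmac

def sawtooth(t, d):
    """s_d(t) = t on 0..d-1 and 2d-2-t on d..2d-3, as in the text.
    Assumption: repeated with period 2d-2 for larger t."""
    period = 2 * d - 2
    t %= period
    return t if t < d else period - t

def sbox(z):
    """SBOX(z) = (y + [y/2048]) mod 256 with y = (z XOR 16)(z + 111)(z).
    Assumption: y is kept at full width until the final mod 256."""
    y = (z ^ 16) * (z + 111) * z
    return (y + (y >> 11)) % 256        # y >> 11 is the integer part of y/2048

def jumble(block, key):
    """Hash d 8-bit data words b(i) in place with the k-word key x(j)."""
    d, k = len(block), len(key)
    if d < 2 or k < 1:
        raise ValueError("need at least 2 data words and 1 key word")
    b, z = bytearray(block), 0
    for i in range(6 * d - 4):          # i = 0 .. 6d-5
        j = sawtooth(i, d)
        b[j] = (b[j] + key[i % k] + sbox(z)) % 256
        z = (z + b[j]) % 256
    return bytes(b)

def hashed_string(secret, *fields):
    """Assumption: the secret (A-key or SSD-A) is the Jumble key and the
    remaining concatenated fields are the data block."""
    return jumble(b"".join(fields), secret)

def make_ssd(esn, akey, randssd):
    """FIG. 4: ESN, A-key, RANDSSD -> SSD; the even SSD-A/SSD-B split is assumed."""
    ssd = hashed_string(akey, esn, randssd)
    return ssd[: len(ssd) // 2], ssd[len(ssd) // 2 :]

class HomeCGSA:
    """Keeps ESN, A-key and SSD per (MIN2, MIN1); the A-key never leaves it."""
    def __init__(self):
        self.records = {}

    def provision(self, min2, min1, esn, akey):
        self.records[(min2, min1)] = {"esn": esn, "akey": akey, "ssd": None}

    def update_ssd(self, min2, min1, randssd):
        rec = self.records[(min2, min1)]
        rec["ssd"] = make_ssd(rec["esn"], rec["akey"], randssd)

    def authbs(self, min2, min1, randbs):
        """FIG. 5: answer the mobile unit's RANDBS challenge."""
        rec = self.records[(min2, min1)]
        return hashed_string(rec["ssd"][0], randbs, rec["esn"], min1)

    def verify_registration(self, min2, min1, esn, rand, claimed):
        """FIG. 6 check; returns the SSD for the serving base station or None."""
        rec = self.records.get((min2, min1))
        if rec is None or rec["ssd"] is None or rec["esn"] != esn:
            return None
        expected = hashed_string(rec["ssd"][0], rand, esn, min1)
        return rec["ssd"] if hmac.compare_digest(expected, claimed) else None

def run_exchange(randssd, randbs, rand, next_rand):
    """Walk through SSD creation, registration and call initiation."""
    min2, min1 = b"\x02\x01", b"\x12\x34\x56"       # constructed; widths assumed
    esn, akey = bytes.fromhex("8a11c0de"), bytes.fromhex("a1b2c3d4e5f60718")
    home = HomeCGSA()
    home.provision(min2, min1, esn, akey)

    # FIG. 2: home sends RANDSSD, both sides derive SSD, the mobile challenges.
    home.update_ssd(min2, min1, randssd)
    ssd_a, ssd_b = make_ssd(esn, akey, randssd)      # computed in the mobile unit
    mobile_view = hashed_string(ssd_a, randbs, esn, min1)
    ssd_confirmed = hmac.compare_digest(home.authbs(min2, min1, randbs), mobile_view)

    # FIG. 3/6: mobile hashes the broadcast RAND; home verifies and releases SSD.
    reply = hashed_string(ssd_a, rand, esn, min1)
    released = home.verify_registration(min2, min1, esn, rand, reply)

    # The same reply presented again after the base station changed RAND.
    replayed = home.verify_registration(min2, min1, esn, next_rand, reply)

    # A unit presenting the plaintext ESN/MIN values without a valid SSD-A.
    forged = hashed_string(bytes(len(ssd_a)), rand, esn, min1)
    cloned = home.verify_registration(min2, min1, esn, rand, forged)

    # FIG. 7: with the released SSD-A the base station checks a call locally.
    min3 = b"\x55\x50\x12"                           # constructed dialed digits
    call = hashed_string(ssd_a, rand, esn, min3)
    local_ok = hmac.compare_digest(hashed_string(released[0], rand, esn, min3), call)
    return {"ssd_confirmed": ssd_confirmed, "released": released == (ssd_a, ssd_b),
            "replayed": replayed, "cloned": cloned, "local_ok": local_ok}

if __name__ == "__main__":
    print(run_exchange(b"\x10" * 8, b"\x20" * 4, b"\x30" * 4, b"\x31" * 4))
```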

The protocol for connecting to a mobile unit when it
is a "called party" follows the registration protocol of
FIG. 6. That is, the serving base station requests the
called mobile station to send an authentication sequence
created from the RAND sequence, ESN designation,
MIN1 designation and SSD-A subfield. When
authentication occurs, a path is set up between the base station
and the called party mobile unit, for the latter to receive
data originating from, and send data to, the mobile unit
(or stationary unit) that originated the call.

It should be noted that all of the authentications
described above are effective only (in the sense of being
verified) with respect to the authenticated packets, or
strings, themselves. To enhance security at other times,
three different additional security measures can be
employed. They are speech encryption, occasional
re-authentication, and control message encryption.

Speech Encryption

The speech signal is encrypted by first converting it
to digital form. This can be accomplished in any number
of conventional ways, with or without compression,
and with or without error correction codes. The bits of
the digital signals are divided into successive groups of
K bits and each of the groups is encrypted. More
specifically, in both the mobile unit and the base station the
RAND sequence, the ESN and MIN1 designations, and
the SSD-B subfield are concatenated and applied to the
Jumble process. The Jumble process produces 2K bits
and those bits are divided into groups A and B of K bits
each. In the mobile unit group A is used for encrypting
outgoing speech, and group B is used for decrypting
incoming speech. Conversely in the base station, group
A is used for decrypting incoming speech and group B
is used for encrypting outgoing speech. FIG. 8 depicts
the speech encryption and decryption process.

Re-authentication 

At the base station's pleasure, a re-authentication
process is initiated to confirm that the mobile unit
which the base station believes is active, is, in fact, the
mobile unit that was authorized to be active. This is
accomplished by the base station requesting the mobile
unit to send a hashed authentication sequence in accordance
with FIG. 9. With each such request, the base
station sends a special (RANDU) sequence. The mobile
unit creates the hashed authentication sequence by concatenating
the RANDU sequence, the area code MIN2
designation of the mobile unit, the ESN designation, the
MIN1 designation and the SSD-A designation. The
concatenated string is applied to the Jumble process,
and the resulting hashed authentication string is sent to
the base station. As an aside, the hashed sequence may
also include the dialed digits so as to make the hijacking 
of the channel even more difficult. The base station, at 
this point, is in a position to verify that the hashed au- 
thentication string is valid. 
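
The re-authentication exchange described above, with both sides shown, as an added example that is not part of the patent. Truncated SHA-256 stands in for the Jumble process, and the field widths, sample values and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# ASSUMPTION: field widths in bytes are constructed for this example.
WIDTHS = {"randu": 3, "min2": 2, "esn": 4, "min1": 3, "ssd_a": 8}

def jumble_stand_in(data: bytes) -> bytes:
    """ASSUMPTION: truncated SHA-256 stands in for the Jumble process."""
    return hashlib.sha256(data).digest()[:8]

def auth_string(randu, min2, esn, min1, ssd_a, dialed=b""):
    """Concatenate in the order the text gives; dialed digits are optional."""
    fields = {"randu": randu, "min2": min2, "esn": esn, "min1": min1, "ssd_a": ssd_a}
    for name, value in fields.items():
        if len(value) != WIDTHS[name]:  # fixed widths keep the concatenation unambiguous
            raise ValueError(f"{name} must be {WIDTHS[name]} bytes")
    return randu + min2 + esn + min1 + ssd_a + dialed

class MobileUnit:
    def __init__(self, min2, esn, min1, ssd_a):
        self.record = (min2, esn, min1, ssd_a)

    def respond(self, randu, dialed=b""):
        return jumble_stand_in(auth_string(randu, *self.record, dialed))

class BaseStation:
    def __init__(self, record, rng=secrets.token_bytes):
        self.record, self.rng, self.pending = record, rng, None

    def challenge(self):
        self.pending = self.rng(WIDTHS["randu"])  # a fresh RANDU with each request
        return self.pending

    def verify(self, response, dialed=b""):
        randu, self.pending = self.pending, None  # each RANDU is accepted once
        if randu is None:
            return False
        expected = jumble_stand_in(auth_string(randu, *self.record, dialed))
        return hmac.compare_digest(expected, response)  # constant-time comparison

def demo(rng=secrets.token_bytes):
    # Constructed subscriber record: MIN2, ESN, MIN1, SSD-A.
    record = (b"\x02\x01", b"\x11\x22\x33\x44", b"\x0a\x0b\x0c", b"SSD-A-01")
    phone = MobileUnit(*record)
    impostor = MobileUnit(*record[:3], bytes(8))  # same identifiers, wrong SSD-A
    bs = BaseStation(record, rng)
    digits = b"5550100"
    first = phone.respond(bs.challenge(), digits)
    genuine = bs.verify(first, digits)
    bs.challenge()
    replayed = bs.verify(first, digits)  # old response against a new RANDU
    redirected = bs.verify(phone.respond(bs.challenge(), digits), b"5550199")
    wrong_key = bs.verify(impostor.respond(bs.challenge()))
    no_challenge = bs.verify(first, digits)  # nothing outstanding
    return genuine, replayed, redirected, wrong_key, no_challenge
```

Only the first result is accepted: the response is bound to the current RANDU, to SSD-A and, when included, to the dialed digits.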

Control Message Cryptosystem 

The third security measure deals with ensuring the 
privacy of control messages. In the course of an estab- 
lished call, various circumstances may arise that call for 
the transmission of control messages. In some situations, 
the control messages can significantly and adversely 
affect either the mobile station that originated the call 
or the base station. For that reason, it is desirable to 
encipher (reasonably well) some types of control mes- 
sages sent while the conversation is in progress. Alter- 
nately, selected fields of chosen message types may be 
encrypted. This includes "data" control messages such 
as credit card numbers, and call redefining control mes- 
sages. This is accomplished with the Control Message 
Cryptosystem. 

The Control Message Cryptosystem (CMC) is a sym- 
metric key cryptosystem that has the following proper- 
ties: 

1) it is relatively secure, 

2) it runs efficiently on an eight-bit computer, and 

3) it is self-inverting. 

The cryptographic key for CMC is an array, 
TBOX[z], of 256 bytes which is derived from a "secret" 
(e.g., SSD-B subfield) as follows: 

1. for each z in the range 0≤z<256, set TBOX[z]=z,
and 

2. apply the array TBOX[z] and the secret (SSD-B) to 
the Jumble process. 

This is essentially what is depicted in elements 301, 302 
and 303 in FIG. 8 (except that the number of bits in 
FIG. 8 is 2K rather than 256 bytes). 

Once the key is derived, CMC can be used to encrypt 
and decrypt control messages. Alternately, the key can 
be derived "on the fly" each time the key is used. CMC 
has the capability to encipher variable length messages 
of two or more bytes. CMC's operation is self-inverting, 
or reciprocal. That is, precisely the same operations are 
applied to the ciphertext to yield plaintext as are applied 
to plaintext to yield ciphertext. Thus, a two-fold appli- 
cation of the CMC operations would leave the data 
unchanged. 

In the description that follows it is assumed that for 
the encryption process (and the decryption process) the 
plaintext (or the ciphertext) resides in a data buffer and 
that CMC operates on the contents of that data buffer 
such that the final contents of the data buffer constitute 
the ciphertext (or plaintext). That means that elements 
502 and 504 in FIG. 10 can be one and the same register. 

CMC is comprised of three successive stages, each of 
which alters each byte string in the data buffer. When 
the data buffer is d bytes long and each byte is designated
by b(i), for i in the range 0≤i<d:

I. The first stage of CMC is as follows:

1. Initialize a variable z to zero,

2. For successive integer values of i in the range
0≤i<d

a. form a variable q by: q=z⊕ low order byte of i,
where ⊕ is the bitwise boolean Exclusive-OR
operator,

b. form variable k by: k=TBOX[q],

c. update b(i) with: b(i)=b(i)+k mod 256, and

d. update z with: z=b(i)+z mod 256.

II. The second stage of CMC is:

1. for all values of i in the range 0≤i<(d-1)/2:
b(i)=b(i)⊕(b(d-1-i) OR 1), where OR is the
bitwise boolean OR operator.

III. CMC's final stage is the decryption that is inverse of
the first stage:

1. Initialize a variable z to zero,

2. For successive integer values of i in the range
0≤i<d

a. form a variable q by: q=z⊕ low order byte of i,

b. form variable k by: k=TBOX[q],

c. update z with: z=b(i)+z mod 256,

d. update b(i) with: b(i)=b(i)-k mod 256.

The three stage process employed to encrypt and decrypt
selected control and data messages is illustrated in
FIG. 10. In one preferred embodiment the first stage
and the third stage are an autokey encryption and decryption,
respectively. An autokey system is a time-varying
system where the output of the system is used
to affect the subsequent output of the system. For further
reference regarding cryptography and autokey
systems, see W. Diffie and M. E. Hellman, Privacy and 
Authentication: An Introduction to Cryptography, Proc. of 
the I.E.E.E., Vol. 67, No. 3, March 1979. 
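
The three CMC stages described above, written out as an added example that is not code from the patent, with a check of the self-inverting property. SHAKE-256 stands in for the Jumble process in the TBOX derivation, and the function names, the secret and the sample messages are assumptions constructed for illustration.

```python
import hashlib

def derive_tbox(secret: bytes) -> bytes:
    """Key derivation steps 1 and 2: identity array plus secret through a hash.
    ASSUMPTION: SHAKE-256 stands in for the Jumble process."""
    identity = bytes(range(256))  # step 1: TBOX[z] = z
    return hashlib.shake_256(identity + secret).digest(256)

def cmc(tbox: bytes, message: bytes) -> bytes:
    """Apply stages I, II and III to a copy of the data buffer."""
    if len(tbox) != 256:
        raise ValueError("TBOX must be 256 bytes")
    d = len(message)
    if d < 2:
        raise ValueError("CMC enciphers messages of two or more bytes")
    b = bytearray(message)

    # Stage I: autokey encryption, z accumulates the bytes already written.
    z = 0
    for i in range(d):
        k = tbox[z ^ (i & 0xFF)]
        b[i] = (b[i] + k) % 256
        z = (b[i] + z) % 256

    # Stage II: 0 <= i < (d-1)/2 read as a real-valued bound, i.e. d // 2 values.
    # Only the first half changes, so applying the stage twice cancels out.
    for i in range(d // 2):
        b[i] ^= b[d - 1 - i] | 1

    # Stage III: z is updated from b(i) before k is subtracted, so it tracks
    # the same byte stream that stage I produces on the return pass.
    z = 0
    for i in range(d):
        k = tbox[z ^ (i & 0xFF)]
        z = (b[i] + z) % 256
        b[i] = (b[i] - k) % 256
    return bytes(b)

def self_inverting(tbox: bytes, max_len: int = 64) -> bool:
    """Check that a two-fold application leaves every test buffer unchanged."""
    for d in range(2, max_len + 1):
        msg = bytes((7 * j + d) % 256 for j in range(d))  # constructed test data
        if cmc(tbox, cmc(tbox, msg)) != msg:
            return False
    return True

if __name__ == "__main__":
    tbox = derive_tbox(b"constructed SSD-B value")
    control = b"constructed control message"
    sealed = cmc(tbox, control)
    print(sealed.hex())
    print(cmc(tbox, sealed) == control, self_inverting(tbox))
    # No per-message input enters the process: equal messages under one TBOX
    # produce equal ciphertext.
    print(cmc(tbox, control) == sealed)
```

The same call enciphers and deciphers, and the output has the same length as the input.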

Mobile Unit Apparatus 

FIG. 11 presents a block diagram of a mobile unit 
hardware. It comprises a control block 200 which includes
(though not illustrated) the key pad of a cellular
telephone, the hand set and the unit's power control
switch. Control block 200 is connected to processor 210
which controls the workings of the mobile unit, such as
converting speech signals to digital representation,
incorporating error correction codes, encrypting the outgoing
digital speech signals, decrypting incoming
speech signals, forming and encrypting (as well as decrypting)
various control messages, etc. Block 210 is
coupled to block 220 which comprises the bulk of the
circuitry associated with transmission and reception of
signals. Blocks 200-220 are basically conventional
blocks, performing the functions that are currently performed
by commercial mobile telephone units (though
the commercial units do not carry out encrypting and
decrypting). To incorporate the authentication and
encryption processes disclosed herein, the apparatus of
FIG. 11 also includes a block 240 which comprises a
number of registers coupled to processor 210, and a
"personality" module 230 that is also coupled to processor
210. Module 230 may be part of the physical structure
of a mobile telephone unit, or it may be a removable
(and pluggable) module that is coupled to the mobile
telephone unit through a socket interface. It may
also be coupled to processor 210 through an electromagnetic
path, or connection. In short, module 230 may
be, for example, a "smart card".

Module 230 comprises a Jumble processor 231 and a 
number of registers associated with processor 231. Al- 
ternately, in another preferred embodiment, only the 
A-Key is in the module 230. A number of advantages 
accrue from installing (and maintaining) the A-key, and
the MIN1 and MIN2 designations in the registers of
module 230, rather than in the registers of block 240. It
is also advantageous to store the developed SSD field in
the registers of module 230. It is further advantageous
to include among the registers of module 230 any needed
working registers for carrying out the processes of processor
231. By including these elements in module 230,
the user may carry the module on his person to use it
with different mobile units (e.g. "extension" mobile
units) and have none of the sensitive information be 
stored outside the module. Of course, mobile units may 
be produced with module 230 being an integral and 
permanent part of the unit. In such embodiments, Jum- 
ble processor 231 may be merged within processor 210. 
Block 240 stores the unit's ESN designation and the 
various RAND sequences that are received. 

Although the above disclosure is couched in terms of 
subscriber authentication in a cellular telephony envi- 
ronment, and that includes personal communication 
networks which will serve portable wallet sized hand- 
sets, it is clear that the principles of this invention have 
applicability in other environments where the commu- 
nication is perceived to be not sufficiently secure and 
where impersonation is a potential problem. This in- 
cludes computer networks, for example. 
We claim: 

1. A method, carried out by a customer unit that 
maintains a code sequence, for establishing a communi- 
cations channel with a base station, comprising the steps 
of: 

receiving from the base station a digital signal se- 
quence; 

developing a string which includes the code se- 
quence, the digital signal sequence, and a sequence 
of bits that is characteristic of the customer unit; 
hashing the string to develop a hashed string; and 
using the hashed string in further communications 
with the base station. 

2. The method of claim 1 wherein said sequence of 
bits that is characteristic of the customer unit includes a 
bit string that is unique to the customer unit hardware 
(ESN designation) and a bit string that is assigned to 
said unit as a customer of a service provider (MIN 
designation). 

3. The method of claim 1 wherein said step of devel- 
oping the hashed string is carried out pursuant to a 
directive from said base station. 

4. The method of claim 1 including a step of initiating 
the steps of receiving, developing, hashing and using 
said hashed string when said base station desires to 
direct said customer unit to create a replacement for 
said hashed string. 

5. The method of claim 1 further comprising the step 
of enciphering customer data signals with the aid of a 
portion of said hashed string. 

6. The method of claim 1 wherein said step of using 
the hashed string in further communication employs the 
hashed string in a plurality of communications sessions 
through the communication channel. 

7. The method of claim 1 further comprising the steps 
of: 

creating a challenge string, 
transmitting the challenge string, 
forming an authentication string that comprises the 
challenge string, said sequence of bits that is char- 
acteristic of the customer unit, and at least a por- 
tion of the hashed string; 
hashing the authentication string to form a hashed
authentication string;
receiving a verification string in response to said step
of transmitting the challenge string;
comparing the received verification string with the
hashed authentication string; and
transmitting results of said step of comparing.

8. The method of claim 1 further comprising a step of 
verifying that the base station recognizes the hashed 
string developed by said customer unit to be a valid
hashed string. 

9. The method of claim 8 wherein said step of verify- 
ing comprises the steps of: 

developing a challenge sequence;

sending said challenge sequence to said base station;

forming an authentication string from a concatenation
of said challenge sequence, said hashed string
and selected other information;

hashing said authentication string to form a hashed
authentication string;

receiving a hashed signal from said base station that is
related to said challenge sequence sent to said base
station;

comparing said hashed authentication string with said
hashed signal; and

reporting to said base station results of said step of
comparing.

10. A method, carried out by a customer unit that 
maintains a code sequence, for establishing a communi- 
cations channel with a base station, comprising the steps 
of: 

receiving from the base station a digital signal sequence;

developing a string which includes the digital signal 
sequence, a sequence of bits that is characteristic of 
said customer unit and a key derived from the code 
sequence; 

hashing the string to develop a hashed string; and
sending the hashed string to the base station. 

11. The method of claim 10 wherein said base station 
has no knowledge of said code sequence. 

12. The method of claim 10 wherein the sequence of 
bits is nonsecret.

13. The method of claim 10 wherein the customer 
unit is mobile and the base station is non-mobile. 

14. The method of claim 10 wherein the established 
communication channel is a wireless communication 
channel.

15. The method of claim 10 wherein the established 
communication channel is a cellular radio communica- 
tion channel. 

16. The method of claim 10 further comprising the 
steps of determining that the mobile customer unit has
entered the jurisdiction of the base station. 

17. The method of claim 10 wherein said step of send- 
ing the hashed string also sends at least a portion of said 
string. 

18. The method of claim 10 including a step of initiating
the steps of receiving, developing, hashing and
sending said hashed string when said customer unit 
desires to initiate a call. 

19. The method of claim 10 including a step of initiating
the steps of receiving, developing, hashing and
sending said hashed string when said base station desires
to activate said customer unit to receive a call.

20. The method of claim 10 including a step of initiating
the steps of receiving, developing, hashing and
sending said hashed string when said base station desires
to re-authenticate said customer unit. 

21. A method, carried out by a customer unit that 
maintains a code sequence, for establishing a communications
channel with a base station that has no knowledge
of said code sequence, comprising the steps of:

(a) receiving from said base station a digital signal 
sequence; 

(b) developing a string which includes 
(1) a substring containing a sequence of bits that is
characteristic of said customer unit, 

(2) a substring that is related to a specified action to 
be taken by said customer unit, which substring 
is selected from a set comprising 

(i) a null string, 

(ii) a string of bits corresponding to a number 
assigned to said customer unit, and 

(iii) a string corresponding to the number of 
another customer unit to which connection is 
sought, 

(3) a substring containing said digital signal se- 
quence, and 

(4) a substring containing a key derived from said 
code sequence; 

(c) hashing said string to develop a hashed string; and 

(d) sending said hashed string to said base station. 

22. The method of claim 21 further comprising a step 
of receiving from said base station an indication of the 
action to be taken by said customer unit. 

23. The method of claim 21 wherein the sequence of 
bits that is characteristic of the customer units com- 
prises the customer unit's phone number. 

24. The method of claim 21 wherein the sequence of 
bits that is characteristic of the customer units com- 
prises the customer unit's electronic serial number. 

25. A customer unit for communicating with a sys- 
tem, said customer unit including first means (200) for 
developing call initiation control signals and call 
progress control signals second means (210, 230, 240) 
responsive to said call initiation control signals and call 
progress control signals for establishing and maintaining 
a communication channel with said system in accor- 
dance with a protocol third means (200) for creating 
data signals, and fourth means (220) for applying the 
data signals and the call control signals to said commu- 
nication channel, said second means CHARACTER- 
IZED BY: 

a processor responsive to said third means and said 
fourth means; 

means A (a register in block 240) for developing an 
identifier signal that is unique to said customer unit; 

means B for storing (240) a temporary string signal 
(RAND) received from said system; 

means C for storing (232) an identifier signal (MIN) 
supplied by an owner of said system, a code se- 
quence key signal (A-key) supplied by said owner 
of said system, an authentication key signal (SSD- 
A), and a speech encryption key signal (SSD-B); 

means D (231) responsive to said processor for hash- 
ing an applied string and developing thereby a 
hashed output; 

means E for applying said authentication key to 
means D. 

26. The customer unit of claim 25 wherein said tem- 
porary string maintained in means B is repetitively up- 
dated from a signal provided by said fourth means. 

27. The customer unit of claim 26 wherein the time 
duration between successive updates of said temporary 
string is less than the expected time duration between 
the application of call initiation control signals. 

28. The customer unit of claim 25 wherein said pro- 
cessor, upon receipt of a signal from said fourth means 
that directs the creation of a new authentication key 
signal and a new speech key signal, applies hashed out- 
put signals of means D to means C to modify said au- 
thentication key signal and said speech key signal. 

29. The customer unit of claim 28 wherein the hashed
output of means D is a multi-bit binary word, one por- 
tion of said binary word constitutes said authentication 
key signal, and another portion of said binary word 
constitutes said speech key signal. 

30. The customer unit of claim 25 wherein at least the 
portion of means C that stores the code sequence key 
signal is in a removable module. 

31. The customer unit of claim 30 wherein said mod- 
ule is adapted to be connected to said processor via 
electrical contacts. 

32. The customer unit of claim 30 wherein said mod- 
ule is adapted to be connected to said processor via 
electromagnetically coupled connections. 

33. A method carried out by a communications sys- 
tem for establishing a communications channel with a 
customer unit comprising the steps of: 

maintaining an authentication key of said customer 
unit; 

receiving a first hashed authentication string from
said customer unit;

forming a local authentication string by combining
said authentication key with other information;

hashing said local authentication string to form a
local hashed authentication string; and

comparing said local hashed authentication string
with the first hashed authentication string.

34. The method of claim 33 further comprising the 
step of maintaining a designation of said customer unit
that is provided to said system and is unique to said unit
(MIN) and a code sequence designation of said cus- 
tomer unit (A-key). 

35. The method of claim 34 further comprising the 
step of maintaining an ESN designation of said unit. 

36. The method of claim 35 further comprising the
steps of:

developing a number;

transmitting said number;

developing said authentication key by hashing a
string comprising said number, said ESN designation
and said code sequence designation of said
customer unit in accordance with a hashing function.

37. The method of claim 33 further comprising the 
steps of

developing a number; and 
broadcasting said number to said customer unit. 

38. The method of claim 37 wherein said number is 
pseudorandom. 

39. The method of claim 37 wherein said number is
random. 